moonming opened a new pull request, #3409:
URL: https://github.com/apache/apisix-dashboard/pull/3409

   ### Summary
   
   Bumps the pinned package manager from `[email protected]` to `[email protected]`.
   
   `10.10.0` falls within the affected ranges of several pnpm supply-chain 
advisories disclosed in June 2026. Bumping to `10.34.4` moves us out of all of 
them:
   
   | Advisory | Severity | Patched |
   |---|---|---|
   | [GHSA-w466-c33r-3gjp](https://github.com/advisories/GHSA-w466-c33r-3gjp) — 
env lockfile can short-circuit package-manager resolution and execute 
lockfile-selected pnpm bytes | High | 10.34.2 |
   | [GHSA-gj8w-mvpf-x27x](https://github.com/advisories/GHSA-gj8w-mvpf-x27x) — 
repository-controlled `configDependencies` can select a pacquet native install 
engine | High | 10.34.2 |
   | [GHSA-3qhv-2rgh-x77r](https://github.com/advisories/GHSA-3qhv-2rgh-x77r) — 
repository config can expand environment secrets into registry requests before 
scripts run | Medium | 10.34.2 |
   | [GHSA-5wx6-mg75-v57r](https://github.com/advisories/GHSA-5wx6-mg75-v57r) — 
manifest identity spoof satisfies `allowBuilds` and runs attacker lifecycle 
scripts | High | 10.34.2 |
   | [GHSA-qrv3-253h-g69c](https://github.com/advisories/GHSA-qrv3-253h-g69c) — 
path traversal in `configDependencies` env lockfile allows symlink creation 
outside `node_modules/.pnpm-config` | High | 10.34.4 |
   
   `10.34.4` is the lowest release that covers all five (the path-traversal fix 
landed in 10.34.4; the others in 10.34.2).
   
   ### Changes
   
   - `package.json`: `packageManager` → `[email protected]` with the SHA-512 
integrity of the 10.34.4 npm tarball.
   
   No dependency or `pnpm-lock.yaml` changes are required — all pnpm 10.x 
releases share lockfile v9, and no dependencies change.
   
   ### Notes
   
   There is no evidence this repository was compromised; these are design-level 
advisories with no malicious-package IOCs. This is a precautionary version bump 
out of the affected range.
   
   ### Checklist
   
   - [x] Did you explain what problem does this PR solve? Or what new features 
/ functionality will this PR add?
   - [x] Did you add corresponding test cases? — N/A, package-manager version 
bump only.
   - [x] Did you update the corresponding documentation? — N/A.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to